I count that as a plus. If the scanning is done on my device, they have zero reasons to scan the content in the cloud and thus can encrypt it at rest so nobody can access it even with a warrant.
But I've had this same argument a thousand times and it's like shouting at the tide and trying to stop it...
The reason you are likely wrong here is because it's an ownership boundary - the cloud service is understood to be renting, but you purchased the phone and own it.
What you are suggesting doesn't necessarily make zero sense to desire, but practically speaking I don't think it makes sense based on the transactions that have occurred in this scenario. They may have a right to do that stuff on the cloud, but they don't have a right to do it on your device. It has nothing to do with which is better.
...but they didn't scan anything unless you were uploading images to the cloud anyway.
Disable cloud upload -> no local scanning.
People were stumbling over each other in one of the biggest competitive misunderstanding contests of the 2020's and Apple backed down to shut people up just because nobody bothered to RTFM and just got angry based on random internet hot-takes that were based on incorrect assumptions.
But I've had this same argument a thousand times and it's like shouting at the tide and trying to stop it...